In a network configuration, a global networked server can be implemented to maintain a directory of all universal group memberships within the network for each user authorized to access the network. A single directory of user network access information maintained at a central location augments access security of the network. An example of such a network configuration would be a company having a headquarters site and one or more remotely located branch sites. The server maintaining the directory of universal group memberships is implemented at the headquarters site. Domain controllers are network servers that administrate network access to clients and/or users at the remotely located branch sites.
The networked server is a global information server implemented as a repository of global information for the network. A network can encompass many domains where each domain is a unit of security. The global information server maintains information about all of the domains in the network and provides one central information store that can be queried by the domain controllers at the networked branch sites to locate and access network-wide information and resources.
A domain controller maintains information pertaining only to the domain or domains that it is authoritative for. A domain administrator can designate users and computers within a domain as security principals, and define groups of security principals within a domain. A network administrator can define universal groups having a membership of security principals that can be from many different domains. Groups of security principals can be granted access to network resources if the group memberships of a given user account are known.
A domain controller of a company branch office maintains user account information pertaining to the users that access the company network at the particular branch office. The complete set of universal group memberships for the branch office user accounts, and for all domains in the network, however, is only available at the global information server.
Each domain controller maintains a user object for each user authorized to access the network from within a particular domain. In the example of the company having remotely located branch sites, each branch site is distinguished as a separate domain. However, two or more branch sites can be encompassed in, and administrated as, a single domain.
A domain designates a replication partition and a security unit, and is not bound by physical or geographic constraints. Typically, the size of a domain is constrained by the number of users that make up a replication unit connected through a low bandwidth link. For a low bandwidth link, it is preferable to establish a small domain. Similarly, it would be disadvantageous to implement a global information server at a location constrained by low bandwidth links.
The global information server maintains the directory of all universal group memberships and replicates a copy of all the user objects from every domain within the network. The server associates, in the directory, each replicated user object with the universal group memberships that each user is authorized to access in the network.
When a user attempts to log on to the network at a remotely located branch site, the domain controller servicing the user's logon request at the particular branch site validates the user name and password against the associated user object maintained at the domain controller. The domain controller then evaluates the user's universal group membership status prior to allowing the logon request. The domain controller does so by sending a request to the global information server, which maintains the directory of the universal groups that the user is a member of.
If the global information server maintaining the directory is not available to service the request from the domain controller, or if the communication link between the domain controller and the server fails (is too slow, has an intermittent connection, is unreliable, etc.), the user's logon request is denied. This is to prevent a security breach of the network. Even though a user may have provided a correct username and password, the logon request fails because the universal group membership information is not available from the global information server directory.
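The logon path described above, as an added example that is not part of the original text: a domain controller validates the password against its own user object, then fetches the user's universal group memberships from the global information server, and denies the logon (fails closed) when that server cannot be reached. The class names, the in-memory stores and the sample users are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed value for the demo, not a recommendation


class GlobalInfoServerUnavailable(Exception):
    """Raised when the link to the global information server fails."""


class GlobalInformationServer:
    """Central directory of universal group memberships (one per network)."""

    def __init__(self, memberships, available=True):
        self._memberships = memberships  # user -> frozenset of universal groups
        self.available = available       # models a working or failed link

    def universal_groups_for(self, user):
        if not self.available:
            raise GlobalInfoServerUnavailable("global information server unreachable")
        return self._memberships.get(user, frozenset())


class DomainController:
    """Holds user objects for its own domain only; no universal group data."""

    def __init__(self, domain, global_server):
        self.domain = domain
        self._global = global_server
        self._users = {}  # user -> (salt, password hash)

    def add_user(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = (salt, digest)

    def logon(self, user, password):
        """Return the user's universal groups on success, or None when denied."""
        record = self._users.get(user)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return None
        try:
            # Password is correct, but the decision still depends on the global server.
            return self._global.universal_groups_for(user)
        except GlobalInfoServerUnavailable:
            return None  # fail closed: memberships unknown, so the logon is denied
```

A correct password alone never yields a session; the returned group set is what the domain controller would use to authorize access to resources.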
In such a network configuration, the universal group membership information maintained in the global information server directory must be available to each domain controller of the network to allow user logon and access to the network. However, it is not practical, and is cost prohibitive, to implement a local server maintaining a global group memberships directory at each branch office site within the network, due to limited hardware resources and constrained network bandwidth.